CVE-2022-41322 : In Kitty before 0.26.2, insufficient validation in the desktop notification esca

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.

Published 2022-09-23 05:15:09

Updated 2023-03-03 18:48:56

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-41322

Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Kitty Project » Kitty
Versions before (<) 0.26.2
cpe:2.3:a:kitty_project:kitty:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41322

EPSS FAQ

0.83%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41322

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-41322

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-41322

https://security.gentoo.org/glsa/202209-22

Kitty: Arbitrary Code Execution (GLSA 202209-22) — Gentoo security
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/47RK7MBSVY5BWDUTYMJUFPBAYFSWMTOI/

[SECURITY] Fedora 37 Update: kitty-0.26.3-2.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://bugs.gentoo.org/868543

868543 – <x11-terms/kitty-0.26.2: arbitrary code execution via desktop notifications
Exploit;Issue Tracking;Patch;Third Party Advisory
https://github.com/kovidgoyal/kitty/commit/f05783e64d5fa62e1aed603e8d69aced5e49824f

Sanitize notifications ids as they are retransmitted over the TTY · kovidgoyal/kitty@f05783e · GitHub
Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RRNAPU33PHEH64P77YL3AJO6CTZGHTX/

[SECURITY] Fedora 36 Update: kitty-0.26.3-2.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://sw.kovidgoyal.net/kitty/changelog/#detailed-list-of-changes

Changelog - kitty
Release Notes;Vendor Advisory
https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2

Comparing v0.26.1...v0.26.2 · kovidgoyal/kitty · GitHub
Patch

Jump to

Vulnerability Details : CVE-2022-41322

Products affected by CVE-2022-41322

Exploit prediction scoring system (EPSS) score for CVE-2022-41322

CVSS scores for CVE-2022-41322

CWE ids for CVE-2022-41322

References for CVE-2022-41322